selinux-policy-mls - SELinux mls base policy
- Description:
SELinux Reference policy mls base module.
Packages
| selinux-policy-mls-3.13.1-191.24.fc24.noarch
[6.3 MiB] |
Changelog
by Lukas Vrabec (2017-01-08):
- Allow thumb domain sendto via dgram sockets. BZ(1398813)
- Add condor_procd_t domain sys_ptrace cap_userns BZ(1411077)
- Allow cobbler domain to create netlink_audit sockets BZ(1384600)
- Allow networkmanager to manage networkmanager_var_lib_t lnk files BZ(1408626)
- Add dhcpd_t domain fowner capability BZ(1409963)
- Allow thumb to create netlink_kobject_uevent sockets. BZ(1410942)
- Fixes for containers
- Allow virt domain to use inherited virtlogd domains fifo_file
- Allow glusterd_t to bind on glusterd_port_t udp ports.
- Revert "Allow glusterd_t to bind on med_tlp port."
- Allow glusterd_t to bind on med_tlp port.
- Update ctdbd_t policy to reflect all changes.
- Allow ctdbd_t domain transition to rpcd_t
- Allow zabbix_agent_t domain setrlimit BZ(1349998)
- Allow pptp_t to read /dev/random BZ(1404248)
- Allow glusterd_t send signals to userdomain. Label new glusterd binaries as glusterd_exec_t
- Allow systemd to stop glusterd_t domains.
- Allow setfiles_t domain rw inherited kdumpctl tmp pipes BZ(1356456)
- Allow user_t run systemctl --user BZ(1401625)
- Revert "Label tcp port 24009 as med_tlp_port_t"
- Label tcp port 24009 as med_tlp_port_t
- Allow systemd_gpt_generator_t to read efivarfs files. BZ(1403909)
- Label /usr/sbin/sln as ldconfig_exec_t BZ(1378323)
|
| selinux-policy-mls-3.13.1-191.16.fc24.noarch
[6.3 MiB] |
Changelog
by Lukas Vrabec (2016-09-15):
- Allow attach usb device to virtual machine BZ(1276873)
- Dontaudit mozilla_plugin to sys_ptrace
- Allow nut_upsdrvctl_t domain to read udev db BZ(1375636)
- Fix typo
- Allow geoclue to send msgs to syslog. BZ(1371818)
- Allow abrt to read rpm_tmp_t dirs
- Add interface rpm_read_tmp_files()
- Update oracleasm SELinux module that can manage oracleasmfs_t blk files. Add dac_override cap to oracleasm_t domain.
- Add few rules to pcp SELinux module to make it able to start pcp_pmlogger service
- Add oracleasm_conf_t type and allow oracleasm_t to create /dev/oracleasm
- Label /usr/share/pcp/lib/pmie as pmie_exec_t and /usr/share/pcp/lib/pmlogger as pmlogger_exec_t
- Allow mdadm_t to getattr all device nodes
- Dontaudit gkeyringd_domain to connect to system_dbusd_t
- Add interface dbus_dontaudit_stream_connect_system_dbusd()
- Allow guest-set-user-passwd to set users password.
- Allow domains using kerberos to read also kerberos config dirs
- Add kdymp_t domain sys_admin capability BZ(1357949)
- Allow dnssec_trigger to exec ldconfig
- Allow svirt_sandbox_domains to r/w onload sockets
- Fix typo bugs in rsync and inetd SELinux modules
- Fixes for containers
- Identify these domains as init daemons
- Allow sandbox domains to use msg class
- Allow add new interface to new namespace BZ(1375124)
- Dontaudit domain to create any file in /proc. This is kernel bug.
- Add new interface fs_getattr_oracleasmfs_fs()
- Add interface fs_manage_oracleasm()
- Label /dev/kfd as hsa_device_t
- Update seutil_manage_file_contexts() interface that caller domain can also manage file_context_t dirs
- Add transition rule that caller domain can create resolv.conf link file with correct label in sysnet_filetrans_named_content() interface
- Allow run sulogin_t in range mls_systemlow-mls_systemhigh.
|
| selinux-policy-mls-3.13.1-191.14.fc24.noarch
[4.8 MiB] |
Changelog
by Lukas Vrabec (2016-08-25):
- Add new domain ipa_ods_exporter_t BZ(1366640)
- Create new interface opendnssec_stream_connect()
- Dontaudit accountsd domain creating dirs in /root
- Dontaudit firewalld wants write to /root
- Label /etc/pki/pki-tomcat/ca/ as pki_tomcat_cert_t
- Allow certmonger to manage all systemd unit files
- Allow ipa_helper_t stream connect to dirsrv_t domain
- Update oracleasm SELinux module
- Label /usr/libexec/gsd-backlight-helper as xserver_exec_t. This allows also confined users to manage screen brightness
- Add new userdom_dontaudit_manage_admin_dir() interface
- Label /dev/oracleasmfs as oracleasmfs_t. Add few interfaces related to oracleasmfs_t type
|
| selinux-policy-mls-3.13.1-191.13.fc24.noarch
[4.8 MiB] |
Changelog
by Lukas Vrabec (2016-08-23):
- Label /var/run/corosync-qnetd and /var/run/corosync-qdevice as cluster_var_run_t. Note: corosync policy is now part of rhcs module
- Allow krb5kdc_t to read krb4kdc_conf_t dirs.
- Update networkmanager_filetrans_named_content() interface to allow source domain to create also temad dir in /var/run.
- Make confined users working again
- Fix hypervkvp module
- Allow ipmievd domain to create lock files in /var/lock/subsys/
- Update policy for ipmievd daemon. Contain: Allowing reading sysfs, passwd, kernel modules Executing bin_t, insmod_t
- Allow systemd to stop systemd-machined daemon. This allows stop virtual machines.
- Label /usr/libexec/iptables/iptables.init as iptables_exec_t Allow iptables creating lock file in /var/lock/subsys/
|
| selinux-policy-mls-3.13.1-191.10.fc24.noarch
[4.8 MiB] |
Changelog
by Lukas Vrabec (2016-08-02):
- collectd: update policy for 5.5
- Allow puppet_t transition to shorewall_t
- Grant certmonger "chown" capability
- Boinc updates from Russell Coker.
- Allow sshd setcap capability. This is needed due to latest changes in sshd.
- Revert "Allow sshd setcap capability. This is needed due to latest changes in sshd"
- Revert "Fix typo in ssh policy"
- Get attributes of generic ptys, from Russell Coker.
|
| selinux-policy-mls-3.13.1-191.8.fc24.noarch
[4.8 MiB] |
Changelog
by Lukas Vrabec (2016-07-27):
- Fix typo bug in ssh policy
|
| selinux-policy-mls-3.13.1-191.fc24.3.noarch
[4.8 MiB] |
Changelog
by Lukas Vrabec (2016-06-28):
- Label /var/lib/softhsm as named_cache_t. Allow named_t to manage named_cache_t dirs.
- Allow glusterd daemon to get systemd status
- Allow logrotate dbus-chat with system_logind daemon
- Allow pcp_pmlogger to read kernel network state Allow pcp_pmcd to read cron pid files
- Add interface cron_read_pid_files()
- Allow pcp_pmlogger to create unix dgram sockets
- Remove non-existing jabberd_spool_t() interface and add new jabbertd_var_spool_t.
- Remove non-existing interface salk_resetd_systemctl() and replace it with sanlock_systemctl_sanlk_resetd()
- Create label for openhpid log files.
- Label /var/lib/ganglia as httpd_var_lib_t
- Allow firewalld_t to create entries in net_conf_t dirs.
- Allow journalctl to read syslogd_var_run_t files. This allows staff_t and sysadm_t to read journals
- Allow systemd_hwdb_t to relabel /etc/udev/hwdb.bin file.
- Label /etc/dhcp/scripts dir as bin_t
- Allow sysadm_role to run journalctl_t domain. This allows sysadm user to read journals.
|